WHAT IS CLAIMED IS: 



1. A network gateway device, comprising:

a physical interface for connection to a medium; 

an ingress processor system for ingress processing of all or part of packets received 
from said physical interface and for sending ingress processed packets for egress 
processing; 

an egress processor system for receiving ingress processed packets and for egress 
processing of all or part of received packets for sending to the physical interface; 

interconnections including an interconnection between said ingress processor 
system and said egress processor system, an interconnection between said ingress 
processor system and said physical interface and an interconnection between said egress 
processor system and said physical interface. 

2. A network gateway device according to claim 1, further comprising a packet 
queue establishing a queue of packets location awaiting transmission, said packet queue 
being the exclusive buffer location for packets between packets entering the device and 
packet transmission. 

3. A network gateway device according to claim 1, wherein packets exit the device
at a rate of the line established at the physical interface. 






4. A network gateway device according to claim 1, wherein said ingress 
processing system processes packets including at least one or more of protocol translation, 
de-encapsulation, decryption, authentication, point-to-point protocol (PPP) termination 
and network address translation (NAT) and said egress processing system processes 
packets including at least one or more of protocol translation, encapsulation, encryption, 
generation of authentication data, PPP generation and NAT. 

5. A network gateway device according to claim 1, wherein said ingress processor
system includes a fast path processor subsystem processing packets at speeds greater than 
or equal to the rate at which they enter the device. 

6. A network gateway device according to claim 5, wherein said fast path 
processor system provides protocol translation processing converting packets from one 
protocol to another protocol. 

7. A network gateway device according to claim 5, wherein said egress processor 
system includes a fast path processor subsystem processing packets at speeds greater than 
or equal to the rate at which they are to leave the device. 

8. A network device according to claim 5, wherein said ingress processor system 
includes a security processor subsystem for processing security packets requiring one or 
more of decryption and authentication, said processing occurring concurrently with fast 
path processor packet processing.

9. A network device according to claim 7, wherein said egress processor system 
includes a security processor subsystem for processing security packets requiring one or 
more of encryption and generation of authentication data, said processing occurring 
concurrently with fast path processor packet processing. 

10. A network device according to claim 7, wherein said ingress processor system
includes a special care packet processor for additional packet processing concurrently 
with fast path processor packet processing, said special care packet processor processing 
packets including one or more of network address translation (NAT) processing and NAT 
processing coupled with application layer processing (NAT-ALG). 

11. A network device according to claim 7, wherein said ingress processor system
includes a control packet processor for additional packet processing concurrently with fast 
path processor packet processing, including processing packets signaling the start and end 
of data sessions, packets used to convey information to a particular protocol and packets 
dependent on interaction with external entities. 

12. A network device according to claim 1, wherein said physical interface 
includes a line card and said ingress processor system is provided as part of a service card 
and said egress processor system is provided in one of said service card and another
service card and said interconnections include:

a line card bus connected to said line card; 

a service card bus connected to at least one of said service card and said another 
service card; and 

a switch fabric connecting said line card to at least one of said service card and 
said another service card. 

13. A network device according to claim 12, wherein said service card includes 
said ingress processor system and said egress processor system and said another service 
card includes another ingress processor system for processing all or part of packets 
received from said line card and for sending ingress processed packets for egress 
processing and another egress processor system for receiving ingress processed packets 
and for processing all or part of received packets for sending to said line card, whereby 
packets may be sent between service cards for ingress processing by one service card and 
egress processing by another service card or for ingress processing using more than one 
service card. 

14. A network gateway device according to claim 13, wherein each of said service
cards is identical and a spare service card is provided, for functionally replacing any one
of the other service cards to provide redundancy. 

15. A network gateway device according to claim 13, wherein said physical 
interface includes another line card connected by said switch fabric to at least one of said
service card and said another service card. 

16. A network gateway device according to claim 15, wherein said switch fabric 
connects any one of said line cards to any one of said service cards, whereby any line card 
can send packet traffic to any service card and routing of packet traffic is configured one 
of statically and dynamically by the said line card. 

17. A network gateway device according to claim 13, wherein: 

said service card bus includes a static bus part for connection of one of said service 
cards through said switch fabric to one of said line cards and a dynamic bus for 
connecting a service card to another service card through said fabric card allowing any 
service card to send packet traffic requiring ingress processing to any other service card 
for ingress processing and allowing any service card to send traffic requiring egress 
processing to any other service card for egress processing, whereby the system can make 
use of unused capacity that may exist on other service cards. 

18. A network gateway device, comprising: 

a plurality of line cards having a physical interface for connection to a medium; and

a plurality of service cards, each service card including an ingress processor for 
processing all or part of data received from one of said line cards and for sending ingress 
processed packets for egress processing and each of said service cards including an egress
processor for receiving ingress processed packets and for processing all or part of 
received packets for sending to one of said line cards; 

a line card bus connected to each of said line cards; 
a service card bus connected to each of said service cards; and 
a switch fabric connecting individual line cards to individual service cards, 
whereby packets may be sent between service cards for ingress processing by one service 
card and ingress processing by another service card or for shared ingress processing 
between more than one service card. 

19. A network gateway device, comprising: 
a first line card; 

a first service card for packet processing including a first ingress processing system 
for at least one or more of de-encapsulation and decryption and a first egress processing 
system for at least one or more of encapsulation and encryption; 

a second line card; 

a second service card for packet processing including a second ingress processing 
system for at least one or more of de-encapsulation and decryption and a second egress 
processing system for at least one or more of encapsulation and encryption; 

a switch fabric and connection interfaces connecting at least said first line card to 
said first service card, connecting said second line card to said second service card and 
connecting said first service card to said second service card. 

20. A network system according to claim 19, wherein:

said connection interfaces include a static bus part for connection of one of said 
service cards through said switch fabric to one of said line cards and a dynamic bus for 
connecting a service card to another service card through said fabric card allowing any 
service card to send packet traffic requiring ingress processing to any other service card 
for ingress processing and allowing any service card to send traffic requiring egress 
processing to any other service card for egress processing, whereby the system can make 
use of unused capacity that may exist on other service cards. 

21. A network system according to claim 19, wherein: each of said first ingress 
processing subsystem, said first egress processing subsystem, said second ingress 
processing subsystem and said second egress processing subsystem include physically 
separate packet processing. 

22. A network gateway device according to claim 19, wherein each of said service
cards is identical and a spare service card is provided, for functionally replacing any one
of the other service cards to provide redundancy. 

23. A network gateway device according to claim 19, wherein said switch fabric 
connects any one of said line cards to any one of said service cards, whereby any line card 
can send packet traffic to any service card and routing of packet traffic is configured one 
of statically and dynamically to establish virtual traffic segregation for segregating traffic 
using one or more common service card and line card and to establish physical traffic
segregation wherein traffic is segregated using groups of one or more service card and one 
or more line card. 

24. A network gateway device according to claim 19, wherein said switch fabric 
connects any one of said line cards to any one of said service cards, whereby any line card 
can send packet traffic to any service card and routing of packet traffic is configured one 
of statically and dynamically by said line card. 

25. A network gateway process, comprising: 

receiving packets from a network via a physical interface connected to a medium; 

ingress processing of packets, with an ingress processing system, including one or 
more of protocol translation processing, de-encapsulation, decryption, authentication, 
point-to-point protocol (PPP) termination and network address translation (NAT); 

transferring packets to an egress packet processing subsystem; 

egress processing said packets, with the egress processing system, including one 
or more of protocol translation, encapsulation, encryption, generation of authentication 
data, PPP generation and NAT processing. 

26. A process according to claim 25, further comprising: 
establishing a queue of packets awaiting transmission; and 

transmitting queued packets via the physical interface, said packet queue being the 
exclusive buffer for packets between packets entering the ingress processing system and
packet transmission. 

27. A process according to claim 25, wherein packets are processed by said 
ingress processor at a rate of ingress at the physical interface. 

28. A process according to claim 25, wherein said ingress processor system 
includes a fast path processor subsystem processing packets at speeds greater than or 
equal to the rate at which packets enter the ingress processor system. 

29. A process according to claim 28, wherein said fast path processor system 
provides protocol translation processing converting packets from one protocol to another 
protocol. 

30. A process according to claim 28, wherein said ingress processor system 
includes a security processor subsystem for processing security packets requiring one or 
more of decryption and authentication, said processing occurring concurrently with fast 
path processor packet processing. 

31. A process according to claim 28, wherein said ingress processor system 
includes a special care packet processor for additional packet processing concurrently 
with fast path processor packet processing, said special care packet processor processing 
packets including one or more of network address translation (NAT) processing and NAT
processing coupled with application layer processing (NAT-ALG). 

32. A process according to claim 28, wherein said ingress processor system 
includes a control packet processor for additional packet processing concurrently with fast 
path processor packet processing, including processing packets signaling the start and end 
of data sessions, packets used to convey information to a particular protocol and packets 
dependent on interaction with external entities. 

33. A process according to claim 28, further comprising: 
providing said physical interface including a line card; 
providing said ingress processor system as part of a service card; 

providing said egress processor system is provided in one of the service card and 
another service, 

providing a line card bus connected to the line card; 

providing a service card bus connected to at least one of the service card and the 
another service card; and 

providing a switch fabric connecting the line card to at least one of the service card 
and the another service card. 

34. A process according to claim 25, further comprising: 

providing said ingress processor system and said egress processor system as part
of said service card;

providing another service card with another ingress processor system for 
processing all or part of packets received from said line card and for sending ingress 
processed packets for egress processing and another egress processor system for receiving 
ingress processed packets and for processing all or part of received packets for sending 
to the line card; 

sending packets between service cards for ingress processing by one service card 
and egress processing by another service card or for ingress processing using more than 
one service card. 

35. A process according to claim 33, further comprising: 
providing another line card as part of said physical interface; 

connecting said another line card, via said switch fabric to at least one of said 
service card and said another service card.

36. A process according to claim 35, further comprising: 

using said switch fabric to connect any one of said line cards to any one of said 
service cards, whereby any line card can send packet traffic to any service card and 
routing of packet traffic is configured one of statically and dynamically by the said line 
card. 

37. A process according to claim 33, further comprising: 
providing said service card bus as a static bus for connection of one of said service
cards through said switch fabric to one of said line cards and a dynamic bus for 
connecting a service card to another service card through said fabric card allowing any 
service card to send packet traffic requiring ingress processing to any other service card 
for ingress processing and allowing any service card to send traffic requiring egress 
processing to any other service card for egress processing, whereby the system can make 
use of unused capacity that may exist on other service cards. 

38. A network gateway process according to claim 25, further comprising: 

receiving packets from a network with a first packet protocol as part of said step 
of receiving packets; 

using a first module ingress processing subsystem for said step of ingress 
processing of packets to produce end-to-end packets; 

transferring the end-to-end packets to a second module egress packet processing 
subsystem; 

using a second module egress processing subsystem for egress packet processing 
to produce packets for sending to a network with a second packet protocol; 

receiving packets from the network with the second packet protocol; 

using a second module ingress processing subsystem for ingress processing to 
produce end-to-end packets; 

transferring the end-to-end packets to a first module egress processing subsystem; 

using the first module egress packet processing subsystem for egress packet 
processing to produce packets for sending to the network with the first packet protocol.

39. The process according to claim 35, wherein 

the first module is a service card for packet processing with the ingress processing 
subsystem separate from the egress processing subsystem and the second module is a 
service card for packet processing with the ingress processing subsystem separate from 
the egress processing subsystem. 

40. The process according to claim 38, further comprising: 
providing a switch fabric; 

connecting a first line card to the switch fabric via a bus, the first line card 
providing a network interface; 

connecting the first service card to the switch fabric via a bus; 

connecting a second line card to the switch fabric via a bus, the second line card 
providing a network interface with the first packet protocol; 

connecting the second service card to the switch fabric via a bus; 

transferring packets from the first line card to the first service card via the fabric 
card and connected busses; 

transferring packets from the first service card to the second service card via the 
fabric card and connected busses; 

transferring packets from the second service card to the second line card via the 
fabric card and connected busses. 

41. The process according to claim 40, further comprising:

transferring packets from the second line card to the second service card via the 
fabric card and connected busses; 

transferring packets from the second service card to the first service card via the 
fabric card and connected busses; 

transferring packets from the first service card to the first line card via the fabric 
card and connected busses. 

42. A network gateway process according to claim 25, further comprising 
providing a switch fabric; 

connecting a first line card to the switch fabric via a bus, the first line card 
providing a network interface; 

connecting a first service card to the switch fabric via a bus;

connecting a second line card to the switch fabric via a bus, the second line card 
providing a network interface; 

connecting a second service card to the switch fabric via a bus; 

transferring packets from the first line card to the first service card; 

processing packets at the first service card including one or more of
de-encapsulation and decryption as part of said step of ingress processing of
packets;

transferring packets from the first service card to the second service card; 
processing packets at the second service card including one or more of 
encapsulation and encryption as part of said step of egress processing packets;
transferring packets from the second service card to the second line card. 

43. A process according to claim 42, wherein each of said first service card and
said second service card process ingress packets from a line card, including encapsulation 
and encryption processing separate from processing egress packets to a line card, 
including de-encapsulation and decryption with separate processing subsystems. 

44. The process according to claim 29, further comprising:

segregating traffic including physical segregating data traffic using one or more 
service card and one or more line card with traffic flows segregated from data traffic on 
one or more other service card and one or more other line card. 